The Nature of the Problem
The real problem isn’t that the information on these lost or stolen laptops is being used; the problem is that it might be used, and that fact triggers the media announcements and the resulting uproar. So far, there have been almost no cases in which the information on the compromised computers has been used for identity theft. In fact, if you read the stories carefully, you’ll find that in many cases, such as the Veterans Administration theft, the data is in special formats that would be hard for an outsider to read. But still, it could be read, and that was enough to touch off the disciplinary actions, the firings, and the media frenzy.
Obviously, the first line of defense is to make sure that your organization’s laptops aren’t stolen. (Actually, the first line of defense is to see to it that sensitive information isn’t kept on laptops at all, but that’s a different kind of problem.) The second defense is to do everything you can to make sure that if the laptop does disappear, nobody is going to be able to read what’s on it. In other words, to encrypt the data beyond reasonable recovery.
Note the word "reasonable." In security, there are no absolutes. Given enough time and sufficient resources (and physical possession of the machine), it’s possible to crack anything. Apparently the U.S. intelligence community did just that with Iraqi terrorist Abu Masab al-Zarqawi’s laptop, which used encryption—and yielded a treasure trove of information anyway.
Generally the attacks on encrypted disks don’t go after the encryption algorithm directly. Most of the modern ones, such as Advanced Encryption Standard (AES) 256 and PKI, are just about impossible to crack. Instead, the bad guys go for weak spots in the encryption process or in Windows itself. For example, file-based products are really designed to protect data in motion over a network. When they’re (mis)used to protect disks, the data is frequently vulnerable because the file protection doesn’t extend to the swap files used by the Windows virtual memory system, or the copies made in the process of printing.
However, good encryption software, properly used and properly managed, can make it virtually certain that the bad guy who walked off with your computer can’t get anything off it.
Encryption software for laptops and other computers isn’t new. In fact, it’s a fairly mature technology that has been available for a decade or more, and a number of products have well-established track records.